Free Malware Removal Forum


Okay I know I've got several problems on my computer. Maybe you guys can help.

Internet Explorer's home page has been hijacked, Firefox has some sort of backdoor activity going on with it (so far Opera seems fine, so that's what I'm using), and Mozilla Thunderbird seems to be having some backdoor problems as well. I was first infected two nights ago when I clicked a link and something downloaded. I proceeded to try and fix the problem on my own with no success; I got tired, went to bed but left the computer up. I woke up the next morning and several applications had been opened on their own, like Paint, Calc, and the MS-DOS box. In the MS-DOS box was "Ping http://www.sexkings.nu". It appears somehow someone was pinging http://www.sexkings.nu with my computer! Now I know a little about computers but am only just beginning to learn. Why and how was someone or something remotely using my DOS box to ping the address sexkings.nu?
So I proceeded to try to fix the problem some more; I'm stubborn and want to learn about computers, so this was a perfect opportunity. Then all of a sudden Calc opens up on its own again! Now that is freaky.
Please help and share whatever cool computer info you can. (I don't just want to fix my computer, I want to learn.)

If you need more info let me know. I have done an online check with Symantec and kept a record of it. I also have numerous programs like Ad-Aware and Spybot and so many more. Just let me know what you need and what I should do. Thanks.

I am sorry to inform you that you have multiple infections: Bube.d, a.k.a. Win32.Beavis, and about:blank. About:blank respawns and the bad files are changed every time the computer is rebooted. It's best if it's cleaned in one go. So, I would suggest that we get the Bube.d out of the way first and then deal with the about:blank. In the meantime, don't use Internet Explorer; continue using Opera for downloading any program needed for the fixes and for communicating with us, etc.
Bube.d needs a special 'process' to remove. It is described here in a post by CalamityJane. Please follow that, and then post back here with a new HijackThis log please.

It's best if we can get this off in one go. So, please follow the instructions very carefully, without missing any. First of all I need you to download some programs for use later. Once the programs are downloaded, you'll have to disconnect from the internet and unplug your modem. So, read through the instructions very carefully, print them out, and if you have any questions, post them here before you start. Let's go:

Download and install Ewido Anti-Malware. During the installation, uncheck the following under Additional Options:
* Install background guard
* Install scan via context menu
Check for updates, but do not run it yet.

================================================

We'll need to disable realtime scanners so that they will not interfere with our fixes.

Disable TeaTimer:
Please disable TeaTimer as it may hinder the removal of some entries. You can re-enable it after you're clean. To disable TeaTimer:
* Run Spybot-S&D
* Go to the Mode menu, and make sure "Advanced Mode" is selected
* On the left hand side, choose Tools -> Resident
* Uncheck "Resident TeaTimer" and OK any prompts
* Restart your computer.

Disable Microsoft AntiSpyware:
1. Open Microsoft AntiSpyware.
2. Click on Options > Settings.
3. In the left pane, click on Real-time Protection.
4. Under Startup Options, uncheck "Enable the Microsoft AntiSpyware Security Agents on startup (recommended)".
5. Under Real-time spyware threat protection, uncheck "Enable real-time spyware threat protection (recommended)".
6. After you have unchecked these, click on the Save button and close Microsoft AntiSpyware.
7. Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

It's important that you re-enable them later once the fix is completed.
================================================
Ensure hidden files and folders are set to show:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Please disconnect from the Internet and unplug your modem for the duration of this fix. Please make sure that you have printed the rest of these instructions.

=======================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

======================

While in Safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

======================

Then open CWShredder, which you downloaded in the first step. Close all browser windows and click on the Fix > Next button.

======================

Bring up Task Manager (Ctrl-Alt-Del) and end this process if it is present:

C:\WINDOWS\ALCXMNTR.EXE

======================

Now run hijackthis and click the scan button, when it has finished scanning put a check against the following.

Make sure that all windows other than HijackThis are closed and click 'Fix checked'. Exit HijackThis but stay in Safe Mode.

====================

Clean temp files:

The following step is important as you may have several malware files in your temp directories.

Using Windows Explorer, navigate to the following folder and open the folder. Go to Edit>copy all>delete all to empty the folder.

C:\Documents and Settings\Owner\Local Settings\Temp (do this for every user)

Still in Safe Mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

====================

Run about buster:

Now press Windows key and E key at the same time to bring up Windows Explorer and navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

==========================================================

Run Ewido.

Click on Scanner, then click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files; click OK. When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections', then choose Clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

===============================================

Still in Safe Mode, Using Windows Explorer, find and delete the following files and folders in bold, if found: Be careful not to delete anything else.

Hoster:
* Unzip Hoster.zip
* Open Hoster.exe
* Then click on "Restore Original Hosts"
* Close the program when complete.
* Empty the Recycle Bin
* Reboot and copy/paste a new log file into this thread, after completing any other instructions given

Warning: if you use a customized hosts file to block certain sites, then this will overwrite all those entries as well and you will need to re-enter them.

=============================================================

Finally, run Panda's ActiveScan and perform a full system scan.
* Once you are on the Panda site click the Scan your PC button.
* A new window will open... click the big Check Now button.
* Enter your Country.
* Enter your State/Province.
* Enter your e-mail address.
* Select either Home User or Company.
* Click the big Scan Now button.
* Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
* Click on Local Disks to start the scan.
Upon scan completion, if anything malicious is detected, click See Report, then click Save Report and save it to your Desktop.

================================================================

Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6 .

Welcome back. It's been about a week since I heard from you the last time. With this infection, the files change every time you restart your computer, thus making it more difficult to fix. So, I am not sure if the fix I wrote up would still work. When you have time and are ready, please post a new HijackThis log and don't reboot your computer until the infection is cleaned.

(I accidentally posted this somewhere else as well)
Okay, I rebooted in normal mode and wasn't able to do anything from normal mode. It takes five minutes for anything to happen in normal mode. So I'm communicating with you from Safe Mode with Networking.
I have a HijackThis log and an Ewido log. AboutBuster says it successfully removed stuff but it didn't offer me a log, and at the end it says it had an error: Run-time error '339' Component 'comctl32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid. It says it found a CWS infection.

I am unable to see the running processes because the HijackThis log is generated in Safe Mode. Neither Spybot nor HijackThis needs to run at startup, which seems to be the case. Both of them trying to scan while the other programs are trying to load would slow the computer down. Open Spybot. Go to Settings > Automation and uncheck "run check on program start". Make sure that under System Start "no automation" is checked.

Next, run HijackThis, click on Config button, under the main tab, make sure that "run HijackThis at startup and show it when items are found" is unchecked.

Restart your computer. Scan with hijackthis and post a new log from Normal Mode, please.

I'm still trying in normal mode but not achieving anything. I click on the Start button and it takes literally anywhere from 5 to 30 minutes for it to bring anything up. I did manage to change the Spybot settings; that took half a day. Then I click on HijackThis and that never finishes loading. Any advice to speed things up? I'm dying here.

I see this C:\fixwareout\SUB\BFU.exe in your log, which tells me that you've had the Wareout infection at one time and tried to clean it. I am afraid it did not get cleaned. This is a very stubborn infection. The computer will have to be kept on until it's cleaned, otherwise the files change at every reboot to escape detection, just like the about:blank infection you had. You can disconnect from the internet, but you mustn't reboot unless told to do so. All that said, let's try the following in Safe Mode. You may need to copy/paste these instructions into Notepad on your desktop and also print them so that you'll have access to them at all times. Disconnect from the internet now.

Because the log is from Safe Mode, I cannot see the running processes, but it looks like you have several antiviruses running, one showing up at startup: Kaspersky, AntiVir and EZ Trust. It's not a good practice to have more than one antivirus running at the same time. They conflict with each other and leave the computer vulnerable, and may even cause crashes. Please decide on ONE antivirus program and uninstall/remove the others from Add/Remove Programs.

Go to Start > Control Panel > Add/Remove Programs and look for a program called Search Assistant. If found, uninstall/remove the program.
While you are there, remove the antivirus programs that you've decided to remove.

Next, in Safe Mode run HijackThis and put a checkmark against the following entries:

Save the file to the desktop as remove.bat and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on remove.bat.

Clean the temp files in safe mode

Click Start>>>Run
Type into the box: cleanmgr.exe
Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:
Temporary Files
Temporary Internet Files
Recycle Bin

Also in Safe Mode navigate to the C:\Windows\Temp folder.
Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box.
The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options.
On the General tab under "Temporary Internet Files" Click "Delete Files".
Put a check by "Delete Offline Content" and click OK.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.

Empty the Recycle Bin.

Now, reconnect to the internet. Try rebooting in Normal Mode now. If successful, run an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

The program will launch and then start to download the latest definition files.

Once the scanner is installed and the definitions downloaded, click Next.

Now click on Scan Settings

In the scan settings, make sure that the following are selected:

Scan using the following Anti-Virus database:

Extended (If available otherwise Standard)

Scan Options:

Scan Archives

Scan Mail Bases

Click OK

Now under select a target to scan select My Computer

The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:

Save the file to your desktop.

Copy and paste that information in your next post.

Scan with HijackThis and save the report.

Post back the new HijackThis log and the Kaspersky scan result, and please do not reboot your computer until the next set of instructions.

Scan Statistics:
Total number of scanned objects: 34474
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 1153 sec
No malware has been detected. The sections that have been scanned are CLEAN.

In task manager I was looking at the running processes and found some troubling things.

Process File: system.exe
Process Name: Trojan.Mitglieder.B

Description: system.exe is a process which is registered as the Net Controller 1.08 Trojan, Trojan.Mitglieder.B, the Agent-EN Trojan and the Trojan.StartPage Trojans. This Trojan allows attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.

Description: csrss.exe is the main executable for the Microsoft Client/Server Runtime Server Subsystem. This process manages most graphical commands in Windows. This program is important for the stable and secure running of your computer and should not be terminated.

Note: csrss.exe is also a process which is registered as a number of mass mailing worms and trojans. These viruses are distributed via the Internet through e-mail and come in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine, which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
-------------------------
Process File: smss.exe
Process Name: Session Manager Subsystem

Description: smss.exe is a process which is a part of the Microsoft Windows Operating System. It is called the Session Manager SubSystem and is responsible for handling sessions on your system. This program is important for the stable and secure running of your computer and should not be terminated.

Note: smss.exe is also a process which is registered as a number of trojans and mass mailing worms, and the PWSteal.Wowcraft.B Password stealer. These Trojans allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
-------------------------
Process File: inetinfo.exe
Process Name: IIS Admin Service Helper

Description: inetinfo.exe is used primarily for debugging Microsoft Windows Server Internet Information Services. This program is important for the stable and secure running of your computer and should not be terminated.

Note: inetinfo.exe is also a process which is registered as the Trojan.W32.RONTOKBRO. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine, which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. It is a registered security risk and should be removed immediately.
--------------------------------------

And that isn't everything but it is late. I'm going to run an antivirus program and then go to sleep.
I hope my computer is okay

The files you've reported to be running in the Task Manager are essential files for Windows to operate, except system.exe. They are only harmful when they are running from a different directory than they are supposed to be. In your case, they are running from the correct directory. Your log is clean. The Kaspersky report is clean.

I cannot find system.exe anywhere in your log. Are you sure about that one? Are you sure that it's not only SYSTEM or System Idle Process?
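An added check, not code from the thread or from any tool it names, that automates the point made above: a well-known process name only matters when its image runs from somewhere other than its expected directory. It parses the CSV shape printed by `wmic process get Name,ExecutablePath /format:csv` (columns are matched by header name), runs on a constructed sample, and assumes the Windows directory is C:\WINDOWS.

```python
"""Flag well-known Windows process names running from an unexpected directory.

Added example for this thread; not code from the forum or from any tool it
names. Input is CSV with at least the columns ExecutablePath and Name, the
shape produced by `wmic process get Name,ExecutablePath /format:csv`.
Columns are looked up by header name, so their order does not matter.
"""
import csv
import io

# Constructed sample output (not from a real machine). The svchost.exe and
# system.exe rows are deliberately placed where a legitimate copy never runs.
SAMPLE_WMIC_CSV = r"""
Node,ExecutablePath,Name
MYPC,C:\WINDOWS\system32\csrss.exe,csrss.exe
MYPC,C:\WINDOWS\system32\smss.exe,smss.exe
MYPC,C:\WINDOWS\system32\inetsrv\inetinfo.exe,inetinfo.exe
MYPC,C:\WINDOWS\svchost.exe,svchost.exe
MYPC,C:\WINDOWS\system.exe,system.exe
MYPC,,lsass.exe
MYPC,,System Idle Process
MYPC,C:\WINDOWS\system32\notepad.exe,notepad.exe
"""

# Process names from the thread plus a few other core ones, mapped to the
# directory (relative to the Windows directory) their genuine copy runs from.
EXPECTED_DIR = {
    "csrss.exe": r"system32",
    "smss.exe": r"system32",
    "inetinfo.exe": r"system32\inetsrv",
    "lsass.exe": r"system32",
    "services.exe": r"system32",
    "winlogon.exe": r"system32",
    "svchost.exe": r"system32",
}

# Names that imitate a system component but have no legitimate counterpart:
# the real kernel process shows up as "System" (no .exe) in Task Manager.
LOOKALIKES = {"system.exe"}


def _norm(path):
    """Lower-case a Windows path and strip trailing separators so that
    comparisons work on any host, not only on Windows."""
    return path.replace("/", "\\").lower().rstrip("\\")


def check_processes(csv_text, windows_dir=r"C:\WINDOWS"):
    """Return (name, path, verdict) for every process of interest.

    verdict is "ok", "suspicious" or "unknown" (the latter when WMI reported
    no path, which happens for protected processes queried without admin
    rights). Processes not in EXPECTED_DIR or LOOKALIKES are ignored.
    """
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    for row in reader:
        name = (row.get("Name") or "").strip().lower()
        path = (row.get("ExecutablePath") or "").strip()
        if name in LOOKALIKES:
            findings.append((name, path, "suspicious"))
            continue
        if name not in EXPECTED_DIR:
            continue
        if not path:
            findings.append((name, path, "unknown"))
            continue
        expected = _norm(windows_dir + "\\" + EXPECTED_DIR[name])
        actual = _norm(path).rsplit("\\", 1)[0]  # directory part of the image path
        findings.append((name, path, "ok" if actual == expected else "suspicious"))
    return findings


if __name__ == "__main__":
    for name, path, verdict in check_processes(SAMPLE_WMIC_CSV):
        print(f"{verdict:10} {name:16} {path or '<no path reported>'}")
```

On a machine that has wmic, redirect the command's output to a file and pass its contents to check_processes(); a "suspicious" verdict means the path, not the name, deserves a closer look.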

I have questions now. Is my system clean? Why does Registry Toolkit say that I have 115 or so errors? How do I fix these errors without having to pay for anything (like buying Registry Toolkit)?
When all this started why was my computer pinging someone, what does that mean, and why was my calc opening and closing of its own accord?

I'm currently going to college for Network and Security Management but I haven't gotten to all the good stuff yet so I don't know any of this fun virus and worm stuff yet. How does it all work, is there a good website that will explain it all?

Why is my floppy drive not working now? I went into Device Manager and it said : Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)

So I uninstalled and reinstalled it and it says the same thing.

You guys are great by the way. What do I have to do to join your University and learn to help others like you guys helped me?

Why does Registry Toolkit say that I have 115 or so errors? How do I fix these errors without having to pay for anything (like buying Registry Toolkit)?

I wouldn't know why Registry Toolkit says that you have errors. It's not a malware tool, it's a registry tool. One should not play around with the registry unless one knows exactly and very well what he/she is doing.

When all this started why was my computer pinging someone, what does that mean and why was my calc opening and closing of its own accord?

It may have been done/caused by the malware.

I'm currently going to college for Network and Security Management but I haven't gotten to all the good stuff yet so I don't know any of this fun virus and worm stuff yet. How does it all work, is there a good website that will explain it all?

Why is my floppy drive not working now? I went into Device Manager and it said: Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39) So I uninstalled and reinstalled it and it says the same thing.

I would suggest that you visit a forum which deals with hardware and software issues like PCPitStop. Please let them know you visited this board and tell them that we have given you the all clear as regards malware. I hope you can get your problem fixed.

You guys are great by the way. What do I have to do to join your University and learn to help others like you guys helped me?

Just sign in and start training.

Now that you are clean, or seem to be, please follow these simple steps in order to keep your computer clean and secure.

Disable and Enable System Restore: If you are using Windows ME or XP then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point. Because Windows regularly sets restore points, it's very possible that the malware you have removed is still present in System Restore. If you put Windows back to such a restore point, this malware will be put back as well.

This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.

And that's all. But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the following settings:
* Download signed ActiveX controls: Prompt
* Download unsigned ActiveX controls: Disable
* Initialise and script ActiveX controls not marked as safe: Disable
* Installation of desktop items: Prompt
* Launching programs and files in an IFRAME: Prompt
* Navigate sub-frames across different domains: Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus program up to date and do regular scans with it. Please make sure that you have only one active antivirus program on your system. If you haven't got an antivirus, you can download and install one of the following free ones. Make sure that you have only ONE antivirus running on your computer, as more than one would cause conflicts and render the computer vulnerable.

It is essential to keep the antivirus program fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually, I'd recommend doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet. The first time you use it, please set it to perform a full system scan.

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site <http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us> and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of spyware, adware, hijackers etc., download and install the following free pestware scanners (if you haven't installed them already):
Ad-Aware here
Spybot here (remember to "immunize" after each update)
Microsoft AntiSpyware here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here (remember to "enable all protection" after each update)
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall here (will be discontinued as from the end of 2005)
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the Windows XP firewall!

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
* Fraudulent claims or scams
* Offensive material
* Security vulnerabilities
* Spyware or adware
* Spam related material
* or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer through Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You cannot uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, there are some sites that are only accessible with Internet Explorer, e.g. most of the online malware scanners.
